November 23, 2022
SI in conversation with... Lee Whatford, CISO at Dominos
For the next interview in our series, we were delighted to catch up with Lee Whatford to discuss the key skills a CISO needs in 2022, tips for successfully managing relationships with the board and how to keep your security function agile!

“It’s a misconception that CISOs need to have in depth technical knowledge – in fact, they need to understand people, processes and how security contributes to business outcomes, and be able to communicate that effectively to the board.”

Lee, please could you tell us more about your journey into security and to your role now as CISO for Dominos?

Of course, I’ve had a very varied journey, so I’ll try to condense it! I originally started out in customer service and account management, firstly in telecoms and then within the software industry. As part of my account management role, I was responsible for managing large software agreements for large UK public and private sector organisations. I remember one occasion where one of our customers was hit with one of the first worms and it completely took down their IT. That was a real trigger point for me that sparked my interest in security and started me on the long journey. Within this role I also learnt that, from the sales perspective, if I could understand the customer and provide a service that truly helped them, then everyone would win.  

I spent a lot of time in the world of software and professional services, and I started to see that technology on its own won’t provide effective solutions or answers to business problems. You need to have people who understand how to select and use the technology, how to implement it properly, and that effective processes are central to this as well.  

For a couple of years, I then began my own start-up and so became involved in many other aspects of the business, such as marketing. I learnt many valuable lessons, particularly around vendor partnering, and I often think that that’s why I’m often very sceptical and can see through many vendor promises now as a CISO, because I’ve been on the other side!  

From the world of start-ups, I then moved to the multi-national Protiviti in a senior advisor capacity and then onto Hewlett Packard Enterprise as part of their global Security Operations Centre consulting function, helping large clients address their Detect and Respond opportunities for improvement. I then took the leap over the fence client-side, taking on the role of head of technology and security operations at Whitbread, leading the teams looking after Premier Inn and Costa Coffee. Following an interim role at NFU Mutual, and just before lockdown in 2020, I was really pleased to join as CISO at Domino’s UK&I.

As you say, you’ve had a very varied journey Lee, and you've been involved in a range of industries, roles, and types of businesses. Do you think you look at things differently to other CISOs given your commercially rounded journey?

Yes, I think so. One of the biggest differences is the understanding that I don’t need to have an in-depth knowledge of every piece of technology, as I have a fantastic team of people who have those skills. Actually, it is much more important for me as a CISO to be able to understand what the business does and cares about. As I mentioned, I’ve run my own business, so I’ve been involved in marketing and sales among other aspects of the business, so I’ve seen first-hand how critical it is to understand how to achieve your commercial goals if you want to succeed. You won’t truly succeed as a CISO if you're trying to protect a business that you don’t understand.  

I also think the skills so central to sales and marketing - positioning, messaging, budgeting and communications – are vitally important in the role of the CISO, particularly in managing your relationships with stakeholders and the wider business. For example, as part of your role you will need to work with your CIO and CFO, likely trying to convince them to give you more budget! By being able to fully understand what the business is trying to achieve, you’ll be able to have those conversations around the right investment decisions and how that can help them to achieve their overall business objectives.

CISOs that are brought up through standard tech streams often have extremely strong technical knowledge, but don’t have the experience of having these commercial conversations at board level. As CISOs, we need to be talking about the wider business, and the people and processes that sit behind the tech, to communicate effectively to stakeholders and to ensure that the business is managing its risk effectively.

And do you think that the importance of these business skills is understood by most businesses, or is it still a fairly new way of thinking in the industry?  

I think this is emerging more and more, however it’s currently a ‘pre-trend,’ and I’m not sure a lot of businesses actually understand what they should be looking for in a CISO or the level that they should be hiring at. Many boards still think tech can solve all of their problems - that they can roll out shiny new toys and their security problems will be solved. One tip I can give to a business looking for a CISO or Head of Infosec, is that it is so important that they have the skills to be able to understand the business as a whole and speak to business outcomes if they are ever going to be able to properly apply security solutions. There are also a variety of factors that should be considered when assessing the role, skills, background and budget and in fact whether to even hire directly or outsource.

Through many conversations I’ve been having recently, I do think the industry is changing slowly, and the biggest shift that we need to make, in my opinion, for most large organisations, is to have reporting lines outside of IT, ideally directly into CFO or even COO. The security team should be working at board level to deal with cyber risk management as a strategic goal. This approach also removes conflicts of interest and ensures more effective oversight. Although this might not be the case for everyone!  

With your strong commercial background and experience in business management and consultancy, you will no doubt be a pro in managing senior stakeholder relationships. What advice would you have for CISOs who are trying to build up a good relationship with their board? Are there any top tips you could share for achieving buy in and effectively communicating your security vision with stakeholders?  

I think firstly we should acknowledge that it can be a real challenge to have a broad conversation about cyber security with the board. Everyone on the board has their own priorities and KPIs depending on their function - supply chain will have different targets to the CIO or the CMO. Everyone has very different goals and measures of success, and as a CISO you need to learn about, and understand, those differences. As we all know, people buy from people, so I take my previous experience as an account manager, and I apply it to my relationships with the board.  

My top tip for someone struggling to get their message across to the board is to organise a coffee with each individual stakeholder and understand what their world is like. Talk about what they do and how they do it, so you can build up a relationship and find out what makes them tick. Instead of talking about ransomware, ask them which suppliers they couldn’t do without for two weeks if faced with an incident, and their answers will give you your targets for third-party risk. When talking to the CFO, understand how you can help them to protect their bottom line.  

It again comes back to understanding business outcomes. How can you as a CISO help them to achieve their strategic goals, objectives, and ultimately, their bonuses? Once you have this insight you can go back to the board to discuss cyber security in a way that matters to each department, and in a targeted way to explain how cyber security will help them and the business overall.

How has 2022 been for you so far? Have there been any specific security challenges that you’ve been focused on?

In 2022 we’ve been coming to the end of a three-year security transformation strategy. Over the last three years we faced challenges, like all businesses during the Covid lockdown, but we were lucky that, due to how we operate, we were one of the few food delivery services able to stay open. We experienced an increase in costs, but also an increase in sales, and we also saw a rapid acceleration in innovation. Within security, we have therefore had to accelerate just as quickly to meet business needs, and we’re now looking at lots of exciting ways to better engage with our customers, as well as new routes to market.

We now all face both the energy and cost of living crisis, and business strategy has to adapt and pivot in response to economic conditions. An understanding of the business environment, and the unique challenges we face in 2022, is critical when it comes to managing risk. To be able to manage and deal with risk as a business we need to be able to focus and prioritise, to understand our exposure points and whether we need to address them.  

To do this we try to demonstrate an accelerated journey for our stakeholders – 1) here is your risk, 2) here are your options a, b, or c, 3) if you choose a, it will take you here, whereas b and c will take you here. This creates a process of business-driven prioritisation and helps the board to make decisions on how to mitigate risks. As a security team we can provide various solutions and options, but there should always be a business-based risk ownership model that results in business-based decisions.

We'd love to hear more about the most effective strategies you've found to keep your security team agile, whilst still transforming organisational maturity and capabilities?  

Sure, so first I’ll explain how I definitely don’t approach security.  

Within the industry one of my biggest bugbears is vendor product marketing. Vendors are driving the market by encouraging security teams to buy more and more shiny tech, and promising ‘silver bullet’ purchases before even trying to understand business requirements. I really disagree with the compliance-driven angle, where you aim to just tick a box without much (or often any) business context or understanding of the threats you face. This approach typically misses critical points, usually business context, alignment to threats and an appropriate view of your risk posture.

The result is that a lot of businesses build big programmes around security awareness and asset / vulnerability management for example without thinking about the threats they face and therefore the problems they are really trying to solve.

I always consider the cost of doing security compared to the Return on Investment and Value Realisation. Therefore, my approach to keeping my team agile and a programme that provides value to the business, is to keep a threat-centric, risk-based approach to everything we do. Security controls need to provide a reasonable baseline (think patching, MFA etc.) but also be intrinsically linked to both our important assets and the adversaries that we face, giving us a unique risk profile. By rethinking the way we look at, for example, vulnerability management and awareness programmes, by becoming far more targeted in our approach, we can be focused on what really matters to the business, and in turn get much closer to answering the million dollar question ‘how secure are we?’.

Using a proactive approach of intelligence driven breach/attack simulation and control validation we are able to focus on the vulnerabilities that really matter to our business, helping reduce a typical vulnerability list of thousands down to a much more manageable and prioritised list, even just a handful. As an example, our VM tools might be telling us that a vulnerability is exploitable (or indeed being exploited) and we should fix it, but if the vulnerability is near the end of an otherwise robust Kill Chain of controls, or the actors exploiting it are only known to target say the Energy sector and you’re in retail, we don’t need to worry so much.
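The threat-centric triage Lee describes in the last two answers, as an added illustration that is not Domino’s tooling or Lee’s own code: a small Python scorer that takes a constructed vulnerability list and weights each finding by whether it is exploited in the wild, whether the known exploiting actors target our sector, whether the asset is critical, and how many validated controls sit earlier in the kill chain. The sector (“retail”), the identifiers (V-001 etc.), the actor-targeting data and the weights are all assumptions made up for the example, not real findings or a published scoring model.

```python
from dataclasses import dataclass

# Assumption for the example: the organisation is a retailer, as in the interview.
ORG_SECTOR = "retail"


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                 # placeholder id, not a real CVE
    asset: str
    cvss: float                  # base severity as reported by the scanner
    exploited_in_wild: bool      # intelligence says it is being actively exploited
    actor_sectors: frozenset     # sectors the known exploiting actors target; empty = unknown
    validated_upstream_controls: int  # controls an attacker must defeat before reaching this point,
                                      # each one confirmed working by control validation
    asset_critical: bool         # the asset is on the business-impact register


def risk_score(v: Vulnerability, org_sector: str = ORG_SECTOR) -> float:
    """Turn scanner severity into a business-relevant priority score."""
    score = v.cvss
    # Threat relevance: if every known actor targets other sectors, urgency drops sharply.
    # Unknown attribution (empty set) keeps the full weight, since we cannot rule ourselves out.
    if v.actor_sectors and org_sector not in v.actor_sectors:
        score *= 0.3
    # Active exploitation and critical assets push a finding up the list.
    if v.exploited_in_wild:
        score += 3.0
    if v.asset_critical:
        score += 2.0
    # Kill-chain position: each validated control earlier in the chain discounts the score,
    # floored so a finding never disappears entirely.
    score *= max(0.1, 1.0 - 0.25 * v.validated_upstream_controls)
    return round(score, 2)


def prioritise(vulns, org_sector: str = ORG_SECTOR):
    """Return (score, vulnerability) pairs, highest priority first."""
    scored = [(risk_score(v, org_sector), v) for v in vulns]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def triage(vulns, threshold: float, org_sector: str = ORG_SECTOR):
    """The 'handful' worth the board's attention: ids scoring at or above the threshold."""
    return [v.vuln_id for score, v in prioritise(vulns, org_sector) if score >= threshold]


def sample_vulns():
    # Constructed sample data for the example; none of these are real findings.
    return [
        Vulnerability("V-001", "public-ordering-api", 9.8, True,
                      frozenset({"retail", "finance"}), 0, True),
        # High CVSS and exploited, but the only known actors target the energy sector.
        Vulnerability("V-002", "warehouse-scada", 9.1, True,
                      frozenset({"energy"}), 0, False),
        # Serious on paper, but sits behind four validated controls late in the chain.
        Vulnerability("V-003", "internal-file-server", 8.8, False,
                      frozenset(), 4, True),
        Vulnerability("V-004", "hr-portal", 7.2, False,
                      frozenset(), 1, False),
    ]


if __name__ == "__main__":
    for score, v in prioritise(sample_vulns()):
        print(f"{v.vuln_id:6} {v.asset:22} cvss={v.cvss:4} priority={score}")
    print("fix first:", triage(sample_vulns(), threshold=8.0))
```

The point of the weights is not their exact values but the two inputs the scanner never has: who is actually exploiting the bug against organisations like yours, and which validated controls already stand between the attacker and it. Swapping the constructed intelligence and control-validation fields for real feeds is what turns a list of thousands into the short list the board can act on.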

Thanks so much for sharing that Lee, and many of the vendor issues you’ve mentioned are very close to our heart and the approach we’re trying to change in the industry as well. Turning back now to your role, what do you enjoy most about the role of CISO?  

For me it has to be the variety of the role – you never know what is going to be happening each day and that’s exciting. In the role of a CISO, in one meeting we’re discussing the detail of DevSecOps code, and the next planning our security strategy, when we get interrupted and have to pivot into major incident mode. I think this is what keeps most security professionals interested – the variety day-to-day in what we could be dealing with and the opportunity to work with colleagues across the whole business.

And finally, is there a moment that you are most proud of in your career?  

My proudest moment was back when I worked at NCC Group. I led the team who built their original Managed Vulnerability Management Service, giving our customers a much more regular and consistent view of vulnerabilities and some expert resource on hand to guide and advise. On one particular occasion our team found something unusual in one of the scans, and when we investigated, we found that our customer’s entire customer base was accessible online due to a misconfigured FTP server. We obviously alerted our customer straight away, and they then called me to let me know that I had probably saved their job.

That call was a real highlight of my career, knowing that we averted a crisis before it happened, and that’s something that I still strive for today!

Thank you so much for your time today, Lee!
